Online computer maintenance utilizing a virtual machine monitor

ABSTRACT

Online computer maintenance is performed on at least one node. A virtual machine monitor is run; a first operating instance is run on the virtual machine monitor; and a second operating system instance is run on the virtual machine monitor as a substitute for the first instance. The maintenance is performed with respect to one of the instances while using the other of the instances.

BACKGROUND

Typical maintainance operations on server-class computers includereplacing faulty hardware and adding new hardware (e.g., I/O adapterboards, memory cards, CPUs), upgrading and patching operating systems,upgrading and patching software applications, and performing serverreconfiguration. The maintenance may be performed offline. Offlinemaintenance on a server can involve stopping or rebooting the server'soperating system, and shutting off power to the server. These steps leadto an accumulation of “downtime” (that is, time during which theapplications are not providing service). While the server is down,hardware or software or both can be serviced. After servicing, theserver may be rebooted, and the applications restarted.

It is desirable for businesses to minimize server downtime. Downtime cancause interruptions in critical services, result in a loss of customers(who, inconvenienced by poor service, seek better service elsewhere),and reduce productivity of employees. In addition, the downtime canincrease the cost of server operation.

Servers having online maintenance capability can avoid downtime incertain instances. The online maintenance capability can be engineeredinto computer hardware and operating systems. A server having onlinemaintenance capability can allow maintenance on particular subcomponentswithout stopping the system as a whole. For example, a server equippedwith “PCI Hot Plug” allows a PCI card to be added or replaced whileapplications that do not depend on that card continue to run. Similarly,operating systems with “dynamic kernel modules” allow softwarecomponents in dynamic modules to be added, replaced, or removed atruntime. Only those applications that are dependent on that module needrestart.

However, not all servers have online maintenance capability.Retrofifting these online maintenance capabilities into existing serversand their operating systems and applications can be prohibitivelychallenging. Moreover, a redesigned legacy system having onlinemaintenance features does not help those who want to continue using anexisting version of that system.

SUMMARY

According to one aspect of the present invention, online computermaintenance is performed on at least one node. A virtual machine monitoris run; a first operating instance is run on the virtual machinemonitor; a second operating system instance is run on the virtualmachine monitor as a substitute for the first instance, and themaintenance is performed with respect to one of the instances whileusing the other of the instances.

Other aspects and advantages of the present invention will becomeapparent from the following detailed description, taken in conjunctionwith the accompanying drawings, illustrating by way of example theprinciples of the present invention.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is an illustration of an exemplary node in accordance with anembodiment of the present invention

FIG. 2 is an illustration of a method in accordance with an embodimentof the present invention.

FIGS. 3 a-3 d are illustrations of a method of servicing hardware inaccordance with an embodiment of the present invention.

FIG. 4 is an illustration of a method of adding hardware in accordancewith an embodiment of the present invention.

FIG. 5 a is an illustration of a method of performing operating systemmaintenance in accordance with an embodiment of the present invention.

FIG. 5 b is an illustration of a method of performing applicationmaintenance in accordance with an embodiment of the present invention.

FIG. 6 is an illustration of a method of performing online computermaintenance in accordance with another embodiment of the presentinvention.

FIG. 7 is an illustration of a method of performing online computermaintenance in accordance with yet another embodiment of the presentinvention.

DETAILED DESCRIPTION

As shown in the drawings for purposes of illustration, the presentinvention is embodied in a method for performing online computermaintenance on a node. The maintenance includes, but is not limited toservicing hardware and software, performing hardware and softwarereconfiguration, tuning hardware, and modifying software (e.g.upgrading, patching, tuning). Examples of servicing these resourcesincludes adding new memory; replacing or adding I/O devices, adaptersand controllers; replacing faulty CPUs in multiprocessors; upgrading,patching, reconfiguring and rebooting operating systems; and upgradingand patching applications.

An exemplary node 110 is illustrated in FIG. 1. The node 110 includes acomputer 112 having a processing unit 114, memory 116, and otherhardware 118. The processing unit 114 may include a single processor ormultiple processors. Memory for storing a virtual machine monitor (VMM),applications, and operating system(s) may be located in the computer 112or another node. The computer 112 is not limited to any particular type.Examples of computers include file servers, web servers, workstations,mainframes, personal computers, personal digital assistants (PDAs),print servers, and network appliances.

Reference is made to FIG. 2, which illustrates a method of performingonline computer maintenance. The VMM is run on the node (210). The VMMis a layer of software that runs between a physical layer (raw hardware)of the computer and an operating system (“OS”) layer. The VMM may beloaded during bootup of the computer. At boot time, the VMM can receivecontrol of the hardware, and may maintain hardware control until thecomputer is shut down.

One or more OS instances are run on the VMM (212). The VMM allowsmultiple OS instances to run simultaneously in the computer. When theVMM starts an OS instance, it may configure the hardware to trap whenthe OS instance executes privileged instructions (e.g., instructionsthat perform I/O, instructions that load a translation lookasidebuffer). When one of these traps occurs, the VMM simulates theinstruction and thus creates an illusion that the OS instance has solecontrol of the hardware on which it runs. The OS instances may beinstances of the same operating system, or instances of differentoperating systems.

A first one of the OS instances is used (214). For example, the OSinstance may be used by running applications on it. A web server is butone example of an application.

At some point in time, a decision is made to perform online maintenanceon the node. For example, the decision might be made by a systemadministrator.

A second operating system instance is run as a substitute for the firstinstance (216). The substitute (second) OS instance is intended toprovide the same services as the first OS instance by taking over theservices temporarily or permanently. The second OS instance is run onthe same VMM. The first and second OS instances may be instances of thesame or different operating systems.

Maintenance is performed with respect to one of the first and secondinstances while using the other of those instances (218). Thus,maintenance can be performed with respect to the first OS instance whilethe second OS instance is being used, or maintenance can be performedwith respect to the second OS instance while the first OS instance isbeing used. The choice will depend upon the type of computer maintenancethat is performed. This will become clear from the examples below ofhardware and software maintenance.

Since at least one of the first and second OS instances is being usedduring the maintenance, the maintenance is performed without incurringdowntime. As a benefit, applications can be run on the one OS instancewhile the other OS instance is being serviced.

If online maintenance requires the second OS instance to be used whilemaintenance is performed with respect to the first OS instance,applications can be migrated from the first OS instance to the second OSinstance. This application migration can take several forms. Applicationmigration for web servers, for example, can be as simple as redirectingrequests sent to that application to an instance of the applicationalready running on the second OS instance. In other cases,administrators can migrate an application by terminating it on the firstOS instance and restarting it on the second OS instance. Data structuresof the application may have to be restored on the second OS instance.Transparent process migration can also be used to move runningapplications from one OS instance to another. With process migration,the first OS instance or runtime environment encapsulates the processuser-level and kernel-level data structures, moves them to the second OSinstance, and recovers the process there in a manner that is largely orentirely transparent to the application. Techniques from failurerecovery literature, such as full-process checkpointing, messagelogging, and process pairs can be used to implement process migration.Once the applications have been migrated, a user can continue using theapplications that are running on the second OS instance.

Application migration could occur from the first OS instance to thesecond OS instance, and back to the first OS instance. Applicationmigration could occur before the maintenance is performed, or after themaintenance is performed. The specifics will depend upon the type ofcomputer maintenance that is performed. This too will become clear fromthe examples below of hardware and software maintenance.

Additional steps may be performed after the online maintenance has beencompleted (220). For example, the first OS instance may be rebooted, andthe second OS instance may be shut down. Or the second OS instance maycontinue in place of the first OS instance. The additional steps willdepend upon the type of computer maintenance that is performed, as willbecome clear from the examples below of hardware and softwaremaintenance.

The steps 216-220 can be initiated by a system administrator. The systemadministrator can run the substitute OS on the VMM (216), perform themaintenance (218), and complete any additional steps (220). In thealternative, these steps 216-220 can be initiated by software.

The VMM is designed to support these steps 216-220. For example, the VMMmight be designed to prevent or shield an OS instance from seeing thehardware to be removed or added; trapping and emulating probes of I/Ospace by an OS instance; etc. This list of functions is not exhaustive.These additional functions will depend upon the type of computermaintenance that is performed. The VMM could even be designed toinitiate these steps 216-220.

The method is not limited to a single node. A single node was describedabove merely to simplify the description of the online maintenancemethod. In a cluster environment having multiple nodes, the onlinemaintenance may be performed on multiple nodes simultaneously, withoutrequiring spare nodes. Applications could not only migrate to othernodes in the cluster, but could also migrate from one OS instance toanother within the same node.

Several examples of online computer maintenance will now be provided. Afirst example relates to hardware removal, a second example relates tohardware addition, and a third example relates to software maintenance.

Reference is now made to FIGS. 3 a-3 d, which illustrate an example ofhardware removal. A computer is already running a VMM 312 on hardware310, a first OS instance 314 on the VMM 312, and an application 316 onthe first OS instance 314 (FIG. 3 a). The first OS instance 314 has adependency on the hardware to be removed.

The VMM 312 creates a second OS instance 318, which does not have adependency on the hardware to be removed (FIG. 3 b). When the second OSinstance is created, it attempts to discover hardware in the computer.However, the VMM can prevent or shield an OS instance from seeing thehardware to be removed. Shielding can be performed in any number ofways. As an example, a platform has firmware that handles hardwareresource discovery by probing the hardware and filling in a hardwaredescription table. The firmware then passes the table to a booting OSinstance to identify the hardware resources. Before, the table is passedto the booting OS instance, however, the VMM or other privilegedsoftware entity modifies the table to prevent the OS from seeing thehardware to be removed.

As another example, the VMM can trap I/O space “probes”, and misinformthe booting second OS instance about the result of a probe. During boot,an OS typically determines a hardware configuration by probing I/O spaceand by querying various registers maintained by the hardware. Forexample, the booting OS instance might read an address associated witheach slot in a PCI bus. A value of −1, for example, could indicate thatthe slot is empty. By trapping those probes and queries and setting thevalues (e.g., returning a value of −1), the VMM 312 can make sure thatthe second OS instance 318 doesn't discover the hardware to be removed.

The VMM 312 migrates the application 316 from the first OS instance 314to the second OS instance 318 (FIG. 3 c), and thereafter shuts down thefirst OS instance (FIG. 3 d). Before removing the hardware, the systemadministrator may invoke a program that instructs the node to preparefor device removal. For example, if the hardware change includesremoving a card from a bus slot, the system administrator may invoke aprogram that powers down the bus slot used by that card.

Before the hardware is removed, the VMM 312 releases its owndependencies on that hardware. In many instances, this will involveshutting down the VMM driver (if any) for the hardware to be removed.The VMM 312 may also adjust its own hardware map and interrupt tables.RAM removal is slightly more complicated because the VMM's datastructures can depend quite broadly on the memory to be removed. Toeliminate the dependency of the VMM 312 on that memory, the VMM 312 canmove any code or data it is maintaining on those physical pages to a newlocation (a safe range of memory), and continue to use the code or dataat the new location. If the VMM 312 is designed to use virtual memory,each in-use page can be backed from the region to be moved with a newpage of physical memory (by making simple changes to the page table ofthe VMM), and copy the old pages to the new. However, if the VMM 312uses directly physical memory, then the code and data structures of theVMM 312 is constructed with sufficient indirection to allow theirbacking pages to be copied to another location.

The hardware is removed safely while the user uses the second OSinstance 318 and the application 316 running on the second OS instance318. The only time the application stopped during this maintenance wasduring migration. Although the length of this stoppage will depend onthe particular migration technique employed, migrating an applicationfrom one OS instance to another on the same physical machine can beperformed very quickly so as to be barely noticeable (if noticeable atall) to a user.

This first example can be extended to servicing other than hardwareremoval. For example, switches on the hardware can be flipped, pins canbe set, and so forth while the second OS instance is being used. Afterthe hardware has been serviced, the VMM could run its resource discoveryalgorithm to rediscover the serviced hardware.

Reference is now made to FIG. 4, which illustrates an example of addinghardware to a node. A VMM is already running in the node, a first OSinstance is running on the VMM, and an application is running on thefirst OS instance. For example, the application is a web server, and thesystem administrator decides to add a memory card a month after bootup.

The administrator begins by running a program that instructs the node toprepare for hardware addition (410). For example, if the hardwareaddition includes adding a card to a bus slot, the program powers downthat bus slot. Hardware is then added to the computer (412).

While the hardware is being added, the VMM hides the existence of theadded hardware from the first OS instance (414). This may includeshielding the first OS instance from interrupts by the added hardware,and trapping and emulating probes of I/O space by the first OS instance.

The VMM discovers the added hardware (416). For some servers, this mayentail rerunning the VMM resource discovery algorithm. Other platformsmay generate a CPU interrupt upon hardware addition, which the VMM thenservices. If the VMM is maintaining device drivers for the added device,the VMM triggers the relevant device driver's initialization routine.The VMM adjusts its own hardware maps and interrupt tables so thatinterrupts from the new hardware are serviced by the correct routines.

The VMM runs a second OS instance on the virtual machine monitor afterthe hardware has been added (418). The VMM allows the second OS instanceto discover the added hardware (418). Exposing the hardware can involveletting I/O space probes by the booting OS “see” the existence of theadded hardware. As a result, the added hardware is configured into thebooting instance.

After the second OS instance has been booted, the application ismigrated from the first OS instance to the second OS instance (422), andthe VMM shuts down the first OS instance (424). The user continues touse the application running on the second OS instance. Thus hardware isadded without incurring downtime.

Reference is now made to FIG. 5 a, which illustrates an example ofperforming OS maintenance on a computer already running a VMM and afirst OS instance. A second OS instance is run on the virtual machinemonitor (510); applications are migrated from the first instance to thesecond instance (512).

The software maintenance can be performed before or after theapplications are migrated. The software maintenance can be performed onthe applications, operating system or both. One of the instances may beshut down after maintenance and application migration have beenperformed.

As a first example, a second instance is booted on the VMM, where thesecond instance is a new version of an operating system. Theapplications are migrated to the second instance after the secondinstance has booted, and the first instance is shut down after theapplication migration.

As a second example, a second instance is booted on the VMM, where thesecond instance is an old version of the operating system. After thesecond instance has been booted, it is patched or upgraded. Theapplications are migrated from the first instance to the patched secondinstance. The first instance is shut down after the applicationmigration.

As a third example, the second operating system is booted, theapplications are migrated to the second instance, and the first instanceis reconfigured. Reconfiguration might include changing tunableparameters, changing a domain name or IP address, etc. After beingreconfigured, the first instance is restarted. Applications are migratedfrom the second instance to the reconfigured first instance. The secondinstance is shut down after application migration.

Reference is now made to FIG. 5 b, which illustrates an example ofperforming maintenance on an application. Prior to maintenance, a firstinstance of the application is running on a first OS instance, and thefirst OS instance running on a VMM. The application maintenance mayinclude running a substitute OS instance on the VMM (550), running asecond instance of the application on the substitute OS instance (552),and making changes to the second application instance (554). After thechanges have been made, a cut over is made from the first applicationinstance to the second application instance (e.g., by redirecting arequest stream from the first application instance to the secondapplication instance). The first OS instance and first applicationinstance are then shut down (556).

The first and second application instances could be run on the same OSinstance instead of different OS instances. However, there areadvantages to running the first and second application instances ondifferent OS instances. One advantage is the avoidance of conflictsbetween the two application instances.

The virtual machine monitor adds overhead to the node. This overhead canreduce performance of the node. However, various approaches may be usedto reduce the overhead.

As a first example, the virtual machine monitor partitions hardware toreduce the overhead. Such a virtual machine monitor is disclosed inassignee's U.S. Ser. No. ______ filed ______ (attorney docket no.200208635-1), which is incorporated herein by reference.

As a second example, the first OS instance is booted on the hardwareprior to running the VMM (610). When the maintenance is to be performed(612), the VMM is interposed beneath the first operating systeminstance, the second OS instance is run on the VMM (614), and themaintenance is performed with respect to one of the OS instances whileusing the other of the instances (616). This method is illustrated inFIG. 6. Interposition of a VMM is disclosed in assignee's U.S. Ser. No.______ (attorney docket no. 200208633-1), which is incorporated hereinby reference.

A third example is illustrated in FIG. 7. A VMM is run on a node (710),and maintenance is performed (712). After the maintenance has beenperformed, the VMM is devirtualized (714). The devirtualization may bepartial or full. Full devirtualization includes devirtualizing the CPU,memory and I/O of the node. Partial devirtualization includesdevirtualizing any one or two of the CPU, memory and I/ODevirtualization of memory is disclosed in assignee's U.S. Ser. No.______ (attorney docket no. 200300561-1), which is incorporated hereinby reference; and devirtualization of I/O is disclosed in assignee'sU.S. Ser. No. ______ (attorney docket no. 200309154-1), which is alsoincorporated herein by reference. Full devirtualization is alsodisclosed in assignee's U.S. Ser. No. ______ (attorney docket no.200208633-1). If the VMM is fully devirtualized, it may be unloaded frommemory (716).

Thus disclosed are non-invasive methods of performing maintenance on acomputer, without shutting down the computer. The maintenance isnon-invasive because it does not require re-engineering of the operatingsystem and hardware. The maintenance can be performed on legacy systemsthat don't support hot swapping and other forms of on-line maintenance.

The present invention is not limited to the specific embodimentsdescribed and illustrated above. Instead, the present invention isconstrued according to the claims that follow.

1. A method of performing online computer maintenance on at least onenode, the method comprising: running a virtual machine monitor; runninga first operating instance on the virtual machine monitor; running asecond operating system instance on the virtual machine monitor as asubstitute for the first instance; and performing the maintenance withrespect to one of the instances while using the other of the instances.2. The method of claim 1, wherein the second operating system is run asa substitute by migrating at least one application from the firstinstance to the second instance, and using the migrated applications onthe second instance.
 3. The method of claim 1, further comprisingshutting down the first instance after the second instance has been runas a substitute.
 4. The method of claim 1, wherein the maintenanceincludes hardware servicing; and wherein the second operating systeminstance is run without a dependency on the hardware to be serviced. 5.The method of claim 4, wherein the servicing includes removing thehardware from a node.
 6. The method of claim 4, wherein the virtualmachine monitor is used to hide the hardware to be serviced from thesecond instance during bootup of the second instance.
 7. The method ofclaim 4, wherein the virtual machine monitor releases its owndependencies on that hardware prior to removal.
 8. The method of claim1, wherein the maintenance includes hardware addition; wherein thevirtual machine monitor discovers the added hardware; and wherein thevirtual machine monitor shields the first operating system instance fromthe hardware as the hardware is being added.
 9. The method of claim 8,wherein the hardware is added before the second instance is booted; andwherein the second instance is allowed during bootup to see the addedhardware.
 10. The method of claim 1, wherein applications running on thefirst operating system instance are migrated to the second instance; andwherein software maintenance is performed.
 11. The method of claim 10,further comprising shutting down one of the instances after theapplications have been migrated.
 12. The method of claim 1, wherein thesecond operating system instance is an upgraded operating system; andwherein applications running on the first operating system instance aremigrated to the second instance.
 13. The method of claim 1, wherein themaintenance includes modifying the second operating system instance; andwherein the method further includes migrating applications running onthe first operating system instance to the second instance.
 14. Themethod of claim 1, further comprising migrating applications from thefirst instance to the second instance before the maintenance isperformed; migrating the applications from the second instance back tothe first instance after the maintenance has been performed; andshutting down the second instance following the application migration tothe first instance.
 15. The method of claim 1, wherein a firstapplication instance is running on the first operating system instancebefore the maintenance is performed; and wherein the maintenanceincludes running a second application instance on the second OSinstance, and modifying the second application instance, and cuttingover from the first application instance to the modified secondapplication instance.
 16. The method of claim 1, wherein the virtualmachine monitor allows at least one of the operating system instances tohave direct control over at least one of a processing unit, memory andI/O of the at least one node.
 17. The method of claim 1, wherein firstinstance is booted prior to running the virtual machine monitor; andwherein the virtual machine monitor is interposed beneath the firstoperating system instance when maintenance is to be performed.
 18. Themethod of claim 1, wherein at least one of a processing unit, memory andI/O is devirtualized after the maintenance has been performed.
 19. Themethod of claim 1, wherein a single processor is used to run the virtualmachine monitor and the multiple operating system instances.
 20. Themethod of claim 1, wherein a single node is used to run the virtualmachine monitor and the multiple operating system instances.
 21. A nodecomprising a processing unit and memory for the processing unit, thememory encoded with a virtual machine monitor and an operating system,the virtual machine monitor running a second instance of the operatingsystem when a first instance is already running in the node, the secondinstance being run when maintenance is to be performed, the secondinstance being a substitute for the first instance, the virtual machinemonitor allowing the maintenance to be performed with respect to one ofthe instances while using the other of the instances.
 22. The node ofclaim 21, wherein the second operating system is run as a substitute bymigrating at least one application from the first instance to the secondinstance, and using the migrated applications on the second instance.23. The node of claim 21, wherein the virtual machine monitor shuts downthe first instance after the second instance has been run as asubstitute.
 24. The node of claim 23, wherein the virtual machinemonitor is used to hide the hardware to be serviced from the secondinstance during bootup of the second instance.
 25. The node of claim 21,wherein the maintenance includes hardware addition; wherein the virtualmachine monitor discovers the added hardware; and wherein the virtualmachine monitor shields the first operating system instance from thehardware as the hardware is being added.
 26. The node of claim 25,wherein the hardware is added before the second instance is booted; andwherein during bootup the virtual machine monitor allows second instanceto see the added hardware.
 27. The node of claim 21, whereinapplications running on the first operating system instance are migratedto the second instance; and wherein software maintenance is performed.28. The node of claim 21, wherein the maintenance includes modifying thesecond operating system instance; and wherein applications running onthe first operating system instance are migrated to the second instance.29. The node of claim 21, wherein applications are migrated from thefirst instance to the second instance before the maintenance isperformed; the applications are migrated from the second instance backto the first instance after the maintenance has been performed; andwherein the virtual machine monitor shuts down the second instancefollowing the application migration to the first instance.
 30. The nodeof claim 21, wherein the virtual machine monitor allows at least one ofthe operating system instances to have direct control over at least oneof a processing unit, memory and I/O of the at least one node.
 31. Thenode of claim 21, wherein first instance is booted prior to running thevirtual machine monitor; and wherein the virtual machine monitor isinterposed beneath the first operating system instance when maintenanceis to be performed.
 32. The node of claim 21, wherein the virtualmachine monitor devirtualizes at least one of a processing unit, memoryand I/O after the maintenance has been performed.
 33. An article for aprocessing unit of a node, the article comprising computer memoryencoded with a virtual machine monitor for running first and secondinstances of an operating system, the second instance being run whenmaintenance on the node is to be performed, the second instance being asubstitute for the first instance, the virtual machine monitor allowingthe maintenance to be performed with respect to one of the instanceswhile using the other of the instances.
 34. The article of claim 33,wherein the virtual machine monitor shuts down the first instance afterthe second instance has been run as a substitute.
 35. The article ofclaim 34, wherein the virtual machine monitor is used to hide thehardware to be serviced from the second instance during bootup of thesecond instance.
 36. The article of claim 33, wherein the maintenanceincludes hardware addition; wherein the virtual machine monitordiscovers the added hardware; and wherein the virtual machine monitorshields the first operating system instance from the hardware as thehardware is being added.
 37. The article of claim 36, wherein thehardware is added before the second instance is booted; and whereinduring bootup the virtual machine monitor allows second instance to seethe added hardware.
 38. The article of claim 33, wherein the virtualmachine monitor causes applications running on the first operatingsystem instance to be migrated to the second instance; whereby softwaremaintenance can be performed.
 39. The article of claim 33, wherein themaintenance includes modifying the second operating system instance; andwherein the virtual machine monitor causes applications running on thefirst operating system instance to be migrated to the second instance.40. The article of claim 33, wherein the virtual machine monitor causesapplications to be migrated from the first instance to the secondinstance before the maintenance is performed; wherein the virtualmachine monitor causes the applications to be migrated from the secondinstance back to the first instance after the maintenance has beenperformed; and wherein the virtual machine monitor shuts down the secondinstance following the application migration to the first instance. 41.The article of claim 33, wherein the virtual machine monitor allows atleast one of the operating system instances to have direct control overat least one of a processing unit, memory and I/O of the at least onenode.
 42. The article of claim 33, wherein first instance is bootedprior to running the virtual machine monitor; and wherein the virtualmachine monitor is interposed beneath the first operating systeminstance when maintenance is to be performed.
 43. The article of claim33, wherein the virtual machine monitor can devirtualize at least one ofa processing unit, memory and I/O after the maintenance has beenperformed.